


by Paul Kerstein

Worm With Rootkit Hits AOL Chat Service

Nov 01, 2005

Links leading to a worm that eventually implants a nasty rootkit on a user’s computer are popping up on America Online Inc.’s (AOL) Instant Messenger network, security researchers are reporting.

The URL (uniform resource locator) is passed through instant messages on a person’s Buddy List and in AOL chat rooms, Websense Inc. reported. Some versions of the URL have been taken down, and all were hosted on personal Web pages, the company said. Users see an IM (instant message) that says “see thing!!” or “hilarious,” followed by a URL.

Clicking on the link starts a known worm, W32/Sdbot-ADD, which then transmits the lockx.exe rootkit, according to an advisory posted Friday by FaceTime Communications Inc., which is based in Foster City, California. The code allows an attacker to monitor the computer and upload or download files.

It also attempts to shut down antivirus programs in addition to installing a backdoor that could be used to install more software. The lockx.exe rootkit connects to an IRC (Internet relay chat) server and waits for remote commands.

Additional annoyances include changing the home page on the Internet browser and downloading applications from vendors such as 180solutions, Zango, the Freepod Toolbar, MaxSearch, Media Gateway and SearchMiracle, FaceTime said.

By Jeremy Kirk – IDG News Service (London Bureau)